This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ob1lan
Collaborator
‎2020-10-15 02:59 AM

Mobile Access blade logs not imported in SIEM

Hi,

I am working on integrating checkpoint logs via log exporter(syslog) and detected that we are not receiving logs from “ Mobile Access” blade. I would like to have these logs in my SIEM.

We made this changes in FilterConfiguration.xml file but couldn’t succeed. Help in this context is highly appreciated :   

<filters>

        <filterGroup operator="and">

                <field name="action" operator="and">

                </field>

                <field name="origin" operator="or">

                </field>

<field name="product-family" operator="or">

                              <value operation="eq">TP</value>

                              <value operation="eq">Access</value>

                             <value operation="eq">Mobile</value>

                             <value operation="eq">EndPoint</value>

                </field>

                <field name="product" operator="or">

                              <value operation="eq">SmartDefense</value>

                              <value operation="eq">Security Gateway/Management</value>

                            <value operation="eq">VPN-1 & FireWall-1</value>

                             <value operation="eq">Mobile Access</value>

                             <value operation="eq">Firewall</value>

                             <value operation="eq">Identity Awareness</value>

                </field>

        </filterGroup>

</filters>

 

Best regards,

 

Antoine

0 Kudos
3 Replies
Dror_Aharony
Employee Alumnus
Employee Alumnus
‎2020-10-15 06:07 AM

Hi Antoine,

You need to remove the entire product-family section (it's not supported like this. Only via the product field), or simply use the built-in filter-blade-in: "Access,TP,Mobile,EndPoint"

like this: cp_log_export set name <X> filter-blade-in "Access,TP,Mobile,EndPoint"

The upper command will translate to all these blades/products below & you can remove any one you don't need exported.

Restart log-exporter: cp_log_export restart name <X>


<field name="product" operator="or">
<value operation="eq">Security Gateway/Management</value>
<value operation="eq">VPN-1 & FireWall-1</value>
<value operation="eq">Firewall</value>
<value operation="eq">Application Control</value>
<value operation="eq">URL Filtering</value>
<value operation="eq">Content Awareness</value>
<value operation="eq">Connectra</value>
<value operation="eq">Mobile Access</value>
<value operation="eq">Compliance blade</value>
<value operation="eq">Core</value>
<value operation="eq">DDoS Protector</value>
<value operation="eq">Identity Awareness</value>
<value operation="eq">Identity Logging</value>
<value operation="eq">UA WebAccess</value>
<value operation="eq">Anti-Bot</value>
<value operation="eq">Anti Malware</value>
<value operation="eq">Threat Emulation</value>
<value operation="eq">IPS</value>
<value operation="eq">IPS-1</value>
<value operation="eq">SmartDefense</value>
<value operation="eq">MTA</value>
<value operation="eq">Anti-Virus</value>
<value operation="eq">New Anti Virus</value>
<value operation="eq">Anti Virus</value>
<value operation="eq">Anti-Spam and Email Security</value>
<value operation="eq">Threat Extraction</value>
<value operation="eq">MTA</value>
<value operation="eq">WIFI Network</value>
<value operation="eq">Mobile App</value>
<value operation="eq">OS Exploits</value>
<value operation="eq">Device</value>
<value operation="eq">Network Security</value>
<value operation="eq">Cellular Network</value>
<value operation="eq">Network Access</value>
<value operation="eq">iOS Profiles</value>
<value operation="eq">Text Message</value>
<value operation="eq">On-device Network Protection</value>
<value operation="eq">Endpoint</value>
</field>

Ob1lan
Collaborator
‎2020-10-16 04:00 AM
In response to Dror_Aharony

Hi, 

Thanks for your reply. Now the SIEM team is receiving logs, but they are missing an important information : the username for the log entry.

In SmartConsole, we see all information for the entry, including the username. However, the exported log seems to be missing that information.

Is there some kind of anonymization that occurs while exporting the logs to a SIEM ? Can we control that to make sure it's exported as well ?

Thanks in advance.

Regards,

Antoine

0 Kudos
Ob1lan
Collaborator
‎2020-10-26 05:06 AM
In response to Ob1lan

Anybody knows if that's normal behavior from the collector, or if we can control whether usernames are included in the exported logs ?

Thanks !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events